Fake Google Job Offer? How It Fooled Microsoft 365 Users

It was a quiet Thursday morning in Bengaluru—one of those days where the inbox feels unusually light. I was sipping my second filter coffee when a colleague pinged me: “Hey, did you see this? Google wants to hire me.”

I knew something was off. The email looked slick—Google branding, a convincing job title, even a PDF attachment with a fake offer letter. But the sender domain? Definitely not Google. And the kicker? It was sent to their Microsoft 365 work account, not a personal Gmail.

[Image: Scam Email]

Why I’m Writing This

I’ve been managing hybrid environments—Workspace and Microsoft 365—for years. Phishing attempts aren’t new, but this one was cleverly disguised as a job offer, and it hit multiple users across departments. I figured it’s time to share what I saw, how I responded, and what admins should watch for.

Step-by-Step: How the Scam Played Out

Here’s the anatomy of the attack, based on what I saw and what Hackread reported:

  • Subject line: “Google Recruitment Team – Offer Letter Attached”
  • Sender domain: Something like careers-google[dot]org or googlejobs[dot]co, not google.com
  • Attachment: A PDF with a fake job offer, complete with Google’s logo and HR-style formatting
  • Call to action: “Click here to accept the offer and begin onboarding”—which led to a credential-harvesting site

What surprised me? The email bypassed Microsoft 365’s default spam filters. It was flagged only after Safe Links kicked in post-click. I’ve seen this happen before with zero-day phishing domains, but this one felt personal—like it was designed to exploit career ambition.

The Setup I Was Running

  • Microsoft 365 E3 tenant with Defender for Office 365
  • Workspace Business Plus for a few legacy teams
  • Endpoint protection via Defender ATP
  • Running Hyper-V on a ThinkPad X1 with 32GB RAM for sandbox testing

I tested the payload in a VM—no malware, just a credential phishing page. But the domain was fresh, registered less than 48 hours ago. That’s why it slipped past filters.

Bugs, Blind Spots, and “Wait, What?”

Not gonna lie, I was winging it at first. Most guides say to rely on Safe Attachments and Safe Links, but here’s the contradiction: if the domain is new and not yet blacklisted, those protections lag.

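Also, Workspace didn’t catch it either. The email passed SPF and DKIM checks, because those checks only confirm that a message really comes from the domain it claims, and here that domain was the attacker’s own lookalike. That’s the scary part: it wasn’t spoofed, it was socially engineered.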

Workarounds and Lessons Learned

Here’s what I did—and what I recommend:

  • Created a custom transport rule in Microsoft 365 to block emails with “Google” in the subject line from non-Google domains (temporary but effective)
  • Enabled Zero-hour Auto Purge (ZAP) to retroactively remove similar emails once flagged
  • Used Defender’s Threat Explorer to trace the campaign—turns out 7 users received variants
  • Trained users with a quick Loom video: “How to spot fake job offers in your inbox”
  • Reported the domain to Google and Microsoft via abuse forms

Lesson learned? Don’t rely solely on automated filters. Use behavioral cues and manual rules when needed.
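
The logic behind the transport rule above, combined with the earlier point that the mail passed SPF and DKIM, as an added Python sketch (not the author's rule and not Microsoft code). The `.example` domains, the `TRUSTED` set and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"google.com"}  # assumption: the only domain accepted as Google
BRAND = re.compile(r"google", re.IGNORECASE)

def is_trusted(domain):
    # Exact match or subdomain of a trusted domain.
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED)

def triage(raw):
    """Return a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not (BRAND.search(msg.get("Subject", "")) or BRAND.search(display)):
        return "allow"  # no brand claim, out of scope for this rule
    header = " ".join(msg.get_all("Authentication-Results", [])).lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    if is_trusted(domain):
        # A real google.com sender must align with its From domain.
        return "allow" if auth.get("dmarc") == "pass" else "quarantine: spoofed trusted domain"
    # SPF/DKIM pass only proves the sender controls its own lookalike
    # domain, so it is reported but never softens the verdict.
    if auth.get("spf") == "pass" and auth.get("dkim") == "pass":
        return "quarantine: authenticated lookalike"
    return "quarantine: unauthenticated lookalike"

# Constructed sample messages (not real captures).
SAMPLES = {
    "lookalike": (
        "From: Google Recruitment Team <hr@careers-google.example>\n"
        "Subject: Google Recruitment Team - Offer Letter Attached\n"
        "Authentication-Results: mx.corp.example; spf=pass "
        "smtp.mailfrom=careers-google.example; dkim=pass header.d=careers-google.example\n"
        "\nClick here to accept the offer and begin onboarding\n"),
    "genuine": (
        "From: Google <no-reply@accounts.google.com>\n"
        "Subject: Security alert\n"
        "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n\n"),
    "spoofed": (
        "From: Google Careers <jobs@google.com>\n"
        "Subject: Your offer\n"
        "Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail\n\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {triage(raw)}")
```

The sketch assumes the `Authentication-Results` header was stamped by your own receiving server; a copy supplied by the sender should be ignored.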

Final Thoughts

This scam was a reminder that phishing isn’t just about tech—it’s about psychology. The attackers preyed on curiosity, ambition, and the prestige of a Google job. And they did it in a way that slipped past enterprise-grade defenses.

As admins, we need to think like attackers. What would you click on if you were tired, distracted, or hopeful?

Ever had a phishing email that made you pause? One that looked almost legit? Drop your story in the comments—or better yet, share your favorite detection trick. Let’s build a smarter defense together.

PShivkumar

About the author: PShivkumar

With over 12 years of experience in IT and multiple certifications from Microsoft, our creator brings deep expertise in Exchange Server, Exchange Online, Windows OS, Teams, SharePoint, and virtualization.

  • Scenario‑first guidance shaped by real incidents and recoveries
  • Clear, actionable breakdowns of complex Microsoft ecosystems
  • Focus on practicality, reliability, and repeatable workflows

Whether supporting Microsoft technologies—server, client, or cloud—his work blends precision with creativity, making complex concepts accessible, practical, and engaging for professionals across the IT spectrum.
